Hiroki-san, please check if you need to apply https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=37ed5022cecd584de868933b5b60da2e995b3179;hp=afec45259049d3940abb0134c67abf8869123b74 for Ghostscript9 ports - the patch would apply cleanly. If that is the way forward for ghostscript9, please also update the range in the vulndb entry - we already have one for ghostscript10. I am about to mark ghostscript7 and 8 FORBIDDEN on main.
Created attachment 241660 [details] Upstream's patch and a portrevision bump This is the patch Matthias linked to, formatted for ports. It builds fine with poudriere testport on FreeBSD 12.4 on amd64, but that's the extent of the testing I've done.
I can confirm that ghostscript9-agpl-base compiles and runs successfully on 13.1-RELEASE-p7. However, I don't know how to confirm whether the patch fixes the CVE. And if we take the current vuln.xml entry for CVE-2023-28879 at face value, upgrading to anything less than 10.01.0 won't fix the vulnerability. Also, ghostscript9-agpl-x11 RUN_DEPENDS on ghostscript9-agpl-base, so does this patch take care of the vulnerability for the x11 version also? Should the x11 version's PORTREVISION be bumped as well?
(In reply to George Mitchell from comment #2) I found a decent writeup of the bug at https://offsec.almond.consulting/ghostscript-cve-2023-28879.html and if no-one beats me to it I'll try some of their proofs of concept as a test case. I think the vulndb data for this bug is incorrect; looking at https://git.ghostscript.com/?p=ghostpdl.git;a=shortlog;h=refs/tags/ghostpdl-10.01.1 it seems version 10.01.0 was released before the fix, i.e. is still vulnerable. My reading of https://vuxml.freebsd.org/freebsd/25872b25-da2d-11ed-b715-a1e76793953b.html is that version 10.01.0 will be erroneously considered fixed. I'm not sure how FreeBSD as a whole feels about backporting security fixes; personally I'd prefer to do that and mark ghostscript9-agpl-base >= 9.56.1_10 as not affected, than get more than eighty ports to update to using ghostscript10. I am very new here, though. I think you're right that ghostscript9-agpl-x11 will need a PORTREVISION bump. I'm not certain, and I'll do some testing to find out. If you are certain, then please bump it.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e73586a6d60ae9695b97962977807af6889b1525

commit e73586a6d60ae9695b97962977807af6889b1525
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2023-04-21 18:09:19 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-04-21 18:09:19 +0000

    security/vuxml: fix up ghostscript version range of CVE-2023-28879

    Pointy hat to: mandree@ for misreading the quoted Artifex page
    Reported by:   Nicholas Taylor <nicholas.e.taylor@gmail.com>
    PR:            270823 (comment #3)
    Security:      CVE-2023-28879
    Security:      25872b25-da2d-11ed-b715-a1e76793953b

 security/vuxml/vuln/2023.xml | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
Nicholas, thanks for pointing out that I botched the vulndb entry 🙈. Corrected.
Created attachment 241671 [details]
Proof of concept for CVE-2023-28879

I think (but note I am not an information security professional) that the attached postscript, cobbled together from https://offsec.almond.consulting/ghostscript-cve-2023-28879.html and https://github.com/AlmondOffSec/PoCs/blob/master/Ghostscript_rce/debian_10.0.0.ps , should exercise this bug.

Good output (i.e. not vulnerable):

% gs poc.ps
GPL Ghostscript 9.56.1 (2022-04-04)
Copyright (C) 2022 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
4848484848484848

Bad output (i.e. vulnerable):

% gs poc.ps
GPL Ghostscript 9.56.1 (2022-04-04)
Copyright (C) 2022 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
0000000803E21C57
Bus error (core dumped)

Note that the eight bytes of hex just before the bus error in the bad output are heap content and may be different on your machine; I was using ghostscript9-agpl-base-9.56.1_8 from packages for the bad output.
(In reply to Matthias Andree from comment #5) Related: I wish CVEs would stop using "through" when "up to and including" is clear and unambiguous. It took me an embarrassingly long time to check that.
Oh yes. Colloquial language is unsuitable for technical specifications. And don't get me started on people confusing trigonometric functions (sec) with time quantities (s). But those are other items on the wish list. The first item was having your FreeBSD committer "write proper vulnerable versions range" into the VuXML item and use the _fixed_ version in the less-than (but-not-equal) relation. Sorry again.
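The range mix-up discussed in the last few comments (the last vulnerable version "through 10.01.0" ending up as the `<lt>` bound, when `<lt>` must name the first fixed version) is easy to reproduce mechanically. The following is an added example, not code from the PR or from the FreeBSD ports or VuXML tools: it implements a simplified FreeBSD package-version comparison (version, optional `_PORTREVISION`, optional `,PORTEPOCH`; the full `pkg version` rules for letter and `pl`/`+` suffixes are not reproduced, which is an assumption of this example) and evaluates package versions against a constructed VuXML-style fragment that approximates the corrected entry as the thread describes it (the vid is the real one from the thread; the XML text itself is constructed, not the verbatim entry). `VUXML_WRONG` carries the original slip so the effect on 10.01.0 is visible.

```python
"""Evaluate FreeBSD package versions against VuXML-style version ranges.

Added example for this PR thread; not FreeBSD's own code.  Version ordering
is a simplified model of pkg(8) comparison: epoch (",N") first, then dotted
numeric/alpha components, then PORTREVISION ("_N").  Assumption: letter
suffix rules of the real algorithm are not modelled.
"""
import re
import xml.etree.ElementTree as ET

VID = "25872b25-da2d-11ed-b715-a1e76793953b"

# Constructed fragment approximating the corrected entry described in the
# thread (9.56.1_10 fixed for -base, 10.01.1 fixed for ghostscript10,
# ghostscript9-agpl-x11 not listed).  Not the verbatim 2023.xml contents.
VUXML_FIXED = f"""<vuxml>
<vuln vid="{VID}">
 <affects>
  <package><name>ghostscript9-agpl-base</name><range><lt>9.56.1_10</lt></range></package>
  <package><name>ghostscript10</name><range><lt>10.01.1</lt></range></package>
 </affects>
</vuln>
</vuxml>"""

# The slip from comments 3-5: "through 10.01.0" (last vulnerable) was put in
# the <lt> bound, which VuXML reads as "fixed in 10.01.0".
VUXML_WRONG = VUXML_FIXED.replace("<lt>10.01.1</lt>", "<lt>10.01.0</lt>")


def parse_version(v):
    """Return a sortable key (epoch, components, revision) for 'ver[_rev][,epoch]'."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    comps = []
    for part in v.split("."):
        # "1a" -> numeric chunk then alpha chunk; numbers sort before letters
        for chunk in re.findall(r"\d+|[A-Za-z]+", part):
            comps.append((0, int(chunk)) if chunk.isdigit() else (1, chunk))
    return (epoch, comps, revision)


def compare_versions(a, b):
    """-1, 0 or 1 as a is older than, equal to, or newer than b."""
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)


# VuXML bound tags and the comparison result (version vs bound) they accept.
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def affected_vids(vuxml_text, pkgname, version):
    """List the vids whose entries mark pkgname-version as vulnerable."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.iter("vuln"):
        for pkg in vuln.iter("package"):
            if pkg.findtext("name") != pkgname:
                continue
            for rng in pkg.iter("range"):
                # every bound inside one <range> must hold for it to match
                if all(OPS[b.tag](compare_versions(version, b.text)) for b in rng):
                    hits.append(vuln.get("vid"))
    return hits


if __name__ == "__main__":
    for xml, label in ((VUXML_FIXED, "corrected"), (VUXML_WRONG, "original")):
        for pkg, ver in (("ghostscript9-agpl-base", "9.56.1_9"),
                         ("ghostscript9-agpl-base", "9.56.1_10"),
                         ("ghostscript10", "10.01.0"),
                         ("ghostscript10", "10.01.1"),
                         ("ghostscript9-agpl-x11", "9.56.1")):
            state = "VULNERABLE" if affected_vids(xml, pkg, ver) else "ok"
            print(f"{label:9} {pkg}-{ver}: {state}")
```

Two points worth checking in a VuXML change before committing it: PORTREVISION compares numerically, so `9.56.1_10` must sort above `9.56.1_9` (a plain string compare gets this wrong), and the `<lt>` operand is the first package version that contains the fix, so a published range of "vulnerable through X" translates to `<lt>` of the release after X, never X itself.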
I would suggest PORTREVISION also be bumped for print/ghostscript9-agpl-x11. The VuXML data must thus recognize 9.56.1_10 (base) and 9.56.1_1 (x11) as fixed.
Created attachment 241690 [details] Patch to update ghostscript9-agpl-x11 PORTREVISION (In reply to Trond.Endrestol from comment #9) Here's a patch to update ghostscript9-agpl-x11's PORTREVISION. It compiles.
Okay (at this stage mostly for my own education, if George Mitchell and Trond.Endrestol both think print/ghostscript9-agpl-x11 needs bumping they are probably right):

1. Bumping the portrevision of print/ghostscript9-agpl-base doesn't force a reinstallation of print/ghostscript9-agpl-x11.

2. print/ghostscript9-agpl-x11 just installs the X11 device for Ghostscript:

% pkg info -l ghostscript9-agpl-x11
ghostscript9-agpl-x11-9.56.1:
	/usr/local/lib/ghostscript/9.56.1/X11.so
	/usr/local/share/licenses/ghostscript9-agpl-x11-9.56.1/AGPLv3
	/usr/local/share/licenses/ghostscript9-agpl-x11-9.56.1/LICENSE
	/usr/local/share/licenses/ghostscript9-agpl-x11-9.56.1/catalog.mk

3. Fixing CVE-2023-28879 for print/ghostscript9-agpl-base fixes it for a system on which print/ghostscript9-agpl-x11 has not been updated:

Before (stock ports tree):

% pkg info | grep ghostscript9
ghostscript9-agpl-base-9.56.1_9 PostScript and PDF interpreter
ghostscript9-agpl-x11-9.56.1   PostScript and PDF interpreter, X11 support
% gs -sDEVICE=epson poc.ps
GPL Ghostscript 9.56.1 (2022-04-04)
Copyright (C) 2022 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
000000080404CFD7
Bus error (core dumped)

After applying attachment #241660 [details] [1] but not attachment #241690 [details], and rebuilding with poudriere:

# pkg update
...
# pkg upgrade
...
Installed packages to be UPGRADED:
	ghostscript9-agpl-base: 9.56.1_9 -> 9.56.1_10
	libxml2: 2.10.3_2 -> 2.10.4
...
% gs -sDEVICE=epson poc.ps
GPL Ghostscript 9.56.1 (2022-04-04)
Copyright (C) 2022 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
4848484848484848

4. I don't think an unpatched X11 Ghostscript device can reintroduce this vulnerability (it's in the Postscript interpreter) but I am currently having trouble forwarding X from the testing jail in a way Ghostscript will believe. This is due to my past poor decisions and I'll fix it, it's just taking a while.

[1] And attachment #241552 [details] from bug #270906 which was lurking in my "ahead-of-stock" ports tree; I don't think it affects the results.
(In reply to Nicholas Taylor from comment #11) I'm really not sure it's necessary to bump ghostscript9-agpl-x11's PORTREVISION, but I thought I'd provide the trivial patch in case it was needed. If the vulnerable code is entirely inside ghostscript9-agpl-base, then changing the x11 port is probably unneeded.
(In reply to George Mitchell from comment #12) Then the -x11 port shouldn't be mentioned in the VuXML data. It's a “passive port.”
Created attachment 241800 [details] Modify vulndb to account for fixes in this PR
Okay, after overcoming past poor decisions I was able to test the behaviour of a patched ghostscript9-agpl-base with an unmodified ghostscript9-agpl-x11. To nobody's very great surprise, this combination is not vulnerable. So, please could attachment #241800 [details] and attachment #241660 [details] be applied as patches to the ports tree? The first marks ghostscript9-agpl-base 9.56.1_10 as fixed and removes all mention of ghostscript9-agpl-x11. The second patches ghostscript9-agpl-base and bumps its portrevision to 10. I now notice that I did not mark attachment #241800 [details] as a patch, for which I apologise.
So, Hiroki being apparently distracted because I haven't seen things, I am claiming maintainer timeout (15d) and commandeering this ticket.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6ff53aa124d487f75e4bcdc2267f15acdc72f523

commit 6ff53aa124d487f75e4bcdc2267f15acdc72f523
Author:     Nicholas Taylor <nicholas.e.taylor@gmail.com>
AuthorDate: 2023-04-28 14:16:35 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-04-28 14:20:38 +0000

    print/ghostscript9-agpl-base: add patch to fix CVE-2023-28879

    and bump PORTREVISION.

    vulndb update in upcoming separate commit.

    Security:      CVE-2023-28879
    Security:      25872b25-da2d-11ed-b715-a1e76793953b
    PR:            270823
    MFH:           2023Q2
    Approved by:   hrs@ through maintainer timeout, 15d

 print/ghostscript9-agpl-base/Makefile         |  2 +-
 .../files/patch-base_cbcp.c (new)             | 23 ++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5f57c067b60fc17e8b848a8e698c60a92dc765ac

commit 5f57c067b60fc17e8b848a8e698c60a92dc765ac
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2023-04-28 14:20:47 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-04-28 14:20:47 +0000

    security/vuxml: Update ghostscript CVE-2023-28879 entry

    and mark ghostscript9-agpl-base 9.56.1_10 as fixed,
    and remove ghostscript9-agpl-x11 which does not seem
    to be using the vulnerable code.

    Security:      25872b25-da2d-11ed-b715-a1e76793953b
    Security:      CVE-2023-28879
    PR:            270823

 security/vuxml/vuln/2023.xml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
A commit in branch 2023Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=840aa2982c3036f0e05e89420d34476ce593260c

commit 840aa2982c3036f0e05e89420d34476ce593260c
Author:     Nicholas Taylor <nicholas.e.taylor@gmail.com>
AuthorDate: 2023-04-28 14:16:35 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-04-28 14:26:20 +0000

    print/ghostscript9-agpl-base: add patch to fix CVE-2023-28879

    and bump PORTREVISION.

    vulndb update in upcoming separate commit.

    Note I am bumping the branch to PORTREVISION=10 (not 9) as well
    so we have the fixed version on the same PORTREVISION,
    on branch and main line.

    Security:      CVE-2023-28879
    Security:      25872b25-da2d-11ed-b715-a1e76793953b
    PR:            270823
    MFH:           2023Q2
    Approved by:   hrs@ through maintainer timeout, 15d

    (cherry picked from commit 6ff53aa124d487f75e4bcdc2267f15acdc72f523)

 print/ghostscript9-agpl-base/Makefile         |  2 +-
 .../files/patch-base_cbcp.c (new)             | 23 ++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
Nicholas, George, Trond, thanks for your support and work on this matter.
Note it will take a while before the vuxml database update will have propagated.
Comment on attachment 241800 [details]
Modify vulndb to account for fixes in this PR

So, the Bugzilla trick to get this marked as "patch" in hindsight is:

- in the table listing attachments, click on details in the right hand column
- then, on the new page with ...action=edit URL, you click the "Edit details", then you tick the "[ ] patch" checkbox, then you submit

- which I am doing now, so it's easier to see the diff.

For me, it was easier to do the change manually per Trond's and Nicholas's findings, and I also needed to bump the "modified" XML tag, so I made the changes myself.
(In reply to Matthias Andree from comment #22) Ah, I see now, thank you. And thank you for the support!
(In reply to Matthias Andree from comment #20) You're welcome, but you did the real work!
It looks like the vuxml change has now propagated out into the real world and I am no longer receiving the nags about the problem. Thank you!